Can iCloud Be Considered HIPAA-Compliant?

Cloud storage services make it very convenient for people to share and store data. People using different devices from different locations can access the uploaded files as long as they are connected to the internet. But the question is, can healthcare organizations use iCloud to store electronic protected health information? Is iCloud HIPAA compliant?

Many cloud storage services are available for use by healthcare providers. However, cloud services need to have strong access and authentication controls to be suitable for storing and sharing ePHI. Uploaded data must be encrypted and logs should provide information on who accessed the data and what they did with the data.

iCloud is a cloud storage service provided by Apple that can be accessed from Macs, iPads and iPhones. It offers both strong authentication and access controls and encryption of data at rest and in transit. These security features meet the minimum technical requirements of HIPAA. But does that make iCloud HIPAA-compliant?

Cloud storage services are classified as business associates because they are not covered by the HIPAA Conduit Exception Rule. A covered entity must therefore sign a business associate agreement (BAA) with the cloud service provider before the service is used with ePHI. The BAA stipulates the responsibilities of the service provider when sharing, storing or transmitting ePHI. It also sets out the permitted uses and disclosures of ePHI and the notification required if a data breach occurs.

The question, then, is whether Apple will sign a BAA with covered entities. iCloud's terms and conditions state clearly that HIPAA-covered entities are not allowed to use iCloud for storing, sharing or transmitting ePHI, or to use iCloud in any way that would suggest Apple is a third-party business associate. Doing so violates the HIPAA rules.

So even if a cloud storage service offers security controls that satisfy HIPAA's requirements for securing ePHI, a service that is neither covered by the conduit exception rule nor willing to sign a business associate agreement cannot be used with any ePHI. For this reason iCloud is not HIPAA-compliant, and healthcare organizations cannot use it for sharing, storing or transmitting protected health information.